Google and other large companies find themselves in "legal limbo" over their compliance with EU data-transfer rules, the search giant's global privacy counsel said today, as EU judges prepare to review some of the methods used to shift data outside the bloc.

Under EU data-privacy laws, companies can move personal data outside the bloc via several legal instruments. These include data-transfer deals with non-EU countries, binding corporate rules between a company's different subsidiaries, and boilerplate legal contracts for transfers to non-EU countries that are approved by the European Commission.

But the lawfulness of the EU-US Privacy Shield framework and the boilerplate standard contracts is currently being challenged before EU courts. And European agreements with a dozen other countries are "at best a small patchwork solving the problem," Peter Fleischer told a conference in Berlin.

"The whole field has always been a mess," he said. "We are in legal limbo, at best."

Instead, data transfers should be governed by a different model such as that used in Canada, he said. "If you're a controller and collecting data, it's your responsibility to continue to respect the privacy standards regardless of the location of the data."

The Canadian rules mean that a Canadian company would abide by the same standards and obligations if it sends information to a data center in Mexico, for example. That wouldn't lower privacy standards, Fleischer said.

But Ireland’s top data regulator Helen Dixon rejected that idea during the same conference, saying citizens risked losing their rights. "The rights in some way have to travel," she said.